Small, but Mighty: Three-Quarters of DDoS Attacks Less Than 100 Mbps

More than a third of companies endured a disruptive attack last year, according to a new survey [pdf].

Thirty-five percent of those surveyed across industries dealt with at least one Distributed Denial of Service (DDoS) incident, with attacks on the retail sector seeing the largest year-to-year increase (16 percent to 39 percent), making for a 144 percent bump. Financial services organizations also continue to suffer from these attacks, seeing a modest 38 percent year-to-year increase (32 percent to 44 percent), according to DDoS mitigation provider Neustar who, back in February, polled 704 IT professionals across North America on how they dealt with DDoS attacks and their impact on business.

These results appear to mesh with Akamai's newly released State of the Internet report [pdf], which found an increase in DDoS attack activity. In 2012, Akamai customers reported 768 DDoS attacks, a year-over-year increase of more than 200%. As with Neustar, commerce customers were the target of over a third, while another 20% targeted enterprise customers.

Alex Berry, Senior Vice President, Enterprise Services at Neustar reiterated in a press statement a theme that was constant throughout the report: Preparation, preparation, preparation.

"The consequences of being unprepared to mitigate a DDoS attack can be crippling to businesses,” said Berry. “It isn’t just about possible revenue loss – it’s about erosion in trust, brand value and reputation.”

It might not be just about revenue loss, but Neustar found that there are financial ramifications to sustained downtime.

The survey found more companies in 2012 (74 percent vs. 65 percent in 2011) indicated that a DDoS outage would cost them up to $10K per hour, while another 26 percent reported revenue risks at $50-100K per hour. While the financial costs associated with disruptive DDoS attacks can vary, the survey found that there are other variables.

"Beyond immediate loss of revenue, DDoS exacts costs that are difficult to measure: erosion of brand value, reputation and customer trust. From a product page that won’t load to a ticket purchase that can’t be confirmed, short-term inconveniences become long-term PR problems," said the report.

The report found that size doesn't necessarily matter, with nearly three-quarters (73 percent) of all DDoS attacks took up less that 100 Mbps of bandwidth, while only 2 percent clocked in at more than 20 Gbps. That doesn't necessarily mean these attacks won't do any damage.

"Industry experts agree that a well-crafted, multi-vector attack as small as 2 Gbps, a common attack size, can take down a site," said the report.

So what are organizations doing about these attacks? There's your silver lining.

Last year, Neustar found that roughly a quarter (25 percent) of survey organizations reported no DDoS protection in place. This year, that figure fell to only 8 percent. IT personnel are getting the message: there was a 10 percent increase in the use of firewalls, switches and routers; a 6 percent rise in DDoS mitigation hardware; and a 2 percent uptick in other protection measures, according to the survey.

Despite the rise in deployment of firewalls, routers and switches for DDoS protection, Neustar found that these networking products create bottlenecks that actually aid attackers.